Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

12/4/2017
04:43 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

NSA Employee Pleads Guilty to Illegally Retaining National Defense Secrets

Nghia Hoang Pho faces up to eight years in prison for removing highly classified NSA data from workplace and storing it at home.

A software developer at the National Security Agency's elite Tailored Access Operations (TAO) hacking unit has pleaded guilty to unlawfully bringing home sensitive agency data that later ended up getting stolen from his personal computer by Russian state-sponsored actors.

Nghia Hoang Pho, 67, of Ellicott City, Md. faces up to eight years in prison for willfully retaining national defense information when he goes up for sentencing April 6, 2018.

Pho is the third NSA employee in recent years to be charged in connection with the misappropriation of highly classified information. His actions - and the public release of a big cache of NSA attack tools by the Shadow Brokers hacking crew last year - highlight the agency's continuing struggles protecting sensitive secrets more than four years after the Edward Snowden leaks.

"There were clearly multiple failures that occurred. Both active and detective technical controls failed," says Simon Gibson, security architect at Gigamon and former Bloomberg CISO. "To me, this whole situation reads like a problem any sloppy or overworked software shop might have. Only it’s not a software shop - it's the NSA," Gibson says.

A court document released last Friday in connection with Pho's plea agreement shows that he worked on highly classified and specialized projects at the agency. In his role as a TSA operative Pho had access to sensitive information on the cyber weapons and exploits developed at the NSA for surveillance and offensive cyber operations against foreign adversaries.

Pho has admitted to removing some of that data from his workplace and retaining it at home. The activity took place over a five-year period between 2010 and March 2015 and included both digital data and data in paper form. The plea agreement and a statement that the Justice Department released last week do not indicate why exactly Pho brought home the data despite knowing about the NSA's strict policies against the practice. However, the motive does not appear to have been malicious.

Pho stored some of the classified data from his workplace on a home computer protected by Moscow-based Kaspersky Lab's antivirus software. Russian hackers are believed to have later discovered the NSA tools on Pho's computer and stolen the data by exploiting Kaspersky's antivirus software.

The NSA itself first learned of the Russian theft from Israeli cyberspies who had previously broken into Kaspersky's AV system and was quietly monitoring it. The data theft incident is believed to be the primary cause for the US government formally banning federal agencies from using Kaspersky Lab's products.  

The security vendor has strongly rejected suggestions that it has helped Russian cyber actors search computers running Kaspersky's AV software, for classified US data. Kaspersky Lab officials have noted that the company's automated malware scanners discovered the NSA hacking tools on Pho's computer in an archive containing multiple known malware samples. The archive was uploaded to the Kaspersky AV network for further inspection and analysis. After Kaspersky Lab security analysts identified some of the data in it as belonging to the NSA they were instructed to promptly delete the data, the company has claimed.

Kaspersky Lab has said an internal investigation it conducted recently found no evidence at all that its researchers helped Russian agents find and steal the data from Pho's computer.

Tom Kellermann, CEO of Strategic Cyber Ventures, describes Pho's decision to take classified material home as disheartening. "I am surprised that as a cybersecurity expert, his own operational security was subpar," he says. "Even if this was allowed he should have been using robust American-made EDR [endpoint detection and response] security rather than what he had in place."

Pho is the third individual that has been charged with stealing or misappropriating NSA data in recent years. In 2016, Harold Martin, a long time NSA employee was arrested for stealing a staggering 50 terabytes of agency data in digital and hard-copy form over a 20-year period. In June this year, government contractor Reality Winner was accused of stealing a top-secret NSA document and providing it to the media.

The government's pursuit and prosecution of such individuals needs to extend all the way to the top, says Kathie Miley, chief operating officer at Cybrary. "There is no question that transporting the materials to the NSA employee’s home was illegal. Therefore, it is not a surprise to see that the government has prosecuted and obtained a guilty plea from the defendant," Miley says.

"What would be more interesting is to see the NSA prosecute other government officials who have committed equally illegal acts of transporting sensitive data to unauthorized networks," she says. "The Russians have clearly shown their capacity and intent to infiltrate not only the homes of government employees, but [also] that of any infrastructure related to a politician and high-ranking official."

Related content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
12/5/2017 | 9:00:18 AM
Re: Procedural Failures
Walking out of building with protected data of ANY kind is a crime.  NSA should have better protocols in place to monitor file transfers to, say, a USB stick.  (That technology does exist by the way).  Email transfers can and should be blocked to outside accounts.  And if you are a government agency with contractors, monitoring THEIR home computers would be a good idea too.   But stupid contractors who think they can get away with this crap are the true morons.  Hope he or she goes away for a long time and has security clearance revoked.  There is always that Burger King job awaiting too.  
AnonymousU74404
50%
50%
AnonymousU74404,
User Rank: Apprentice
12/4/2017 | 7:40:53 PM
Procedural Failures
It's good they are prosecuting individuals, but really surprised the blame stops there. Procedural Failures and culture are issues that breed these behaviors. It will continue to happen if they don't address big picture.
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
MoviePass Leaves Credit Card Numbers, Personal Data Exposed Online
Kelly Sheridan, Staff Editor, Dark Reading,  8/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.
CVE-2019-12400
PUBLISHED: 2019-08-23
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this im...
CVE-2019-15092
PUBLISHED: 2019-08-23
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.